9. Overview: Impact of Developing Technology on Privacy

Biometric systems

9.64 Biometric systems enable unique behavioural or physiological attributes of people to be
used for identification and authentication.[126]
Major biometric technologies include finger scanning, facial recognition, iris
and retinal scanning, finger geometry, voice recognition and dynamic signature
verification.[127]
Other biometric technologies include ear geometry, body odour measurement,
keystroke dynamics and gait recognition.[128]
In addition, palm vein biometric systems are being developed for application in
Automated Teller Machine (ATM) transactions.[129]

9.65 In a typical biometric system, a biometric device, such as a finger scanner, is
used to take a biometric sample from an individual.[130]
Data from the sample are then analysed and converted into a biometric template,
which is stored in a database or an object in the individual’s possession, such
as a smart card.[131]
Later biometric samples taken from the individual then can be compared to the
stored biometric information to determine who the individual is
(identification, or one-to-many matching) or to attempt to authenticate or
verify that an individual is who he or she claims to be (verification, or
one-to-one matching).[132] One-to-one systems currently provide higher accuracy of matches,
although the accuracy of biometric systems varies greatly between systems.[133]
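
The enrolment, verification and identification steps described in 9.65, as an added example that is not part of the original report. It assumes toy 64-bit templates compared by Hamming distance against a fixed threshold (all names and values are constructed), and it measures how often an unenrolled impostor is accepted in each mode: a one-to-many search gives every stored template a chance to produce a false match, so its false-match rate grows with the size of the database.

```python
import random

BITS = 64        # template length in bits (constructed toy value)
THRESHOLD = 22   # largest Hamming distance accepted as a match (assumed)

def hamming(a, b):
    return bin(a ^ b).count("1")

def enrol(n, rng):
    """Build the template database: person id -> stored template."""
    return {pid: rng.getrandbits(BITS) for pid in range(n)}

def fresh_sample(template, rng, flipped=6):
    """A later sample from the same person: the template plus sensor noise."""
    for bit in rng.sample(range(BITS), flipped):
        template ^= 1 << bit
    return template

def verify(db, claimed_id, sample):
    """One-to-one: compare only against the claimed identity's template."""
    return hamming(db[claimed_id], sample) <= THRESHOLD

def identify(db, sample):
    """One-to-many: search every template; return the best match or None."""
    pid = min(db, key=lambda p: hamming(db[p], sample))
    return pid if hamming(db[pid], sample) <= THRESHOLD else None

def false_match_rates(n_enrolled=200, trials=1000, seed=1):
    """Fraction of unenrolled impostors accepted in (1:1, 1:N) mode."""
    rng = random.Random(seed)
    db = enrol(n_enrolled, rng)
    one_to_one = one_to_many = 0
    for _ in range(trials):
        impostor = rng.getrandbits(BITS)  # sample from someone not enrolled
        one_to_one += verify(db, rng.randrange(n_enrolled), impostor)
        one_to_many += identify(db, impostor) is not None
    return one_to_one / trials, one_to_many / trials

if __name__ == "__main__":
    rng = random.Random(7)
    db = enrol(200, rng)
    sample = fresh_sample(db[42], rng)
    print("verify as 42:", verify(db, 42, sample))
    print("identify:", identify(db, sample))
    print("impostor false-match rate (1:1, 1:N):", false_match_rates())
```

With the same threshold, tightening it to bring the one-to-many false-match rate down would also reject more genuine samples, which is the trade-off a large identification database has to manage.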

9.66 Biometric technologies have existed for decades.[134]
The use of biometric technologies is increasing, however, because of
globalisation, developments in information technology, and the desire to
identify individuals in order to manage security threats such as terrorism.[135]
Biometric systems enable the identity of an individual to be ascertained or
authenticated with a fair degree of certainty. Further, advances in biometric
technologies mean that biometric systems are now automated, allowing for ‘mass
identity checks within seconds … with a sufficient degree of certainty’.[136]
For this reason, biometric technologies are increasingly used in identification
systems, along with other passwords or identity objects, such as smart cards.[137]

9.67 Since 2003, members of the European Union have been required to take
fingerprints from all asylum seekers over the age of 14. These fingerprints are
then compared to those in a centralised database to determine whether an asylum
seeker has previously sought asylum in another Member State.[138]
In addition, in 2003, the International Civil Aviation
Organisation (ICAO) published ‘a global, harmonized blueprint for the integration of
biometric identification information into passports and other Machine Readable
Travel Documents (MRTDs)’. The ICAO standards require MRTDs
to include a facial image in a contactless chip.[139]

9.68 Biometric systems are also being introduced by the Australian
Government. For example, in 2003, legislation was passed enabling officials to
collect certain types of biometric information from non-citizens in Australia.[140] The legislation aims
to ensure that non-citizens are identified accurately in order to enable
officials to prevent identity fraud in the visa application process, to
determine which non-citizens are of national security concern, and to detect
forum shopping by visa applicants.[141]
Further, in October 2005, the Australian Government introduced the
‘ePassport’—a passport with an embedded microchip containing, among other
things, a digitised facial image of the passport holder.[142] From 2007, those holding
an ePassport could use an automated border security system called ‘SmartGate’
in two airports in Australia. The SmartGate system uses facial recognition
technology to perform the customs and immigration checks normally performed by
Australian customs officers.[143]
Australian ePassport holders will also be able to participate in the United
States Visa Waiver Program.[144]

9.69 Biometric systems increasingly are being used or contemplated by
organisations, including in methadone programs, taxi booking services, ATMs and
online banking, and access to buildings.[145]

9.70 The use of biometric technologies raises a number of privacy concerns.
These may vary according to the context in which the biometric information is
collected and the type of biometric system in operation.[146] Some of the general
concerns are as follows.

9.71 First, there is a concern that widespread use of biometric systems will
enable extensive monitoring of the activities of individuals.[147] This is so
particularly if the same form of biometric information is used to identify
individuals in a number of different contexts—that is, if a type of biometric
information is used as a unique multi-purpose identifier.[148] Secondly, there is a
concern that biometric technologies, such as facial recognition technologies,
may be used to identify individuals without their knowledge or consent.[149] Thirdly, there is a
concern that biometric information could reveal sensitive personal information,
such as information about a person’s health or religious beliefs.[150] Fourthly, there is a
concern that the security of biometric systems could be compromised and that
biometric information stored in a central or local database, or on an object in
the possession of an individual, could be acquired by those wishing to use it
for some kind of gain.[151]
Finally, the accuracy and reliability of many biometric systems are still
unknown,[152]
causing some to express concern about the potentially serious consequences for
an individual who is falsely accepted or rejected by a biometric system.[153]

9.72 The Council of Europe has cautioned that biometric systems should not
be implemented for the mere sake of convenience.[154] It has recommended
that before introducing a biometric system

the controller should balance the possible advantages and disadvantages for the data subject’s
private life on the one hand and the envisaged purposes on the other hand, and
consider possible alternatives that are less intrusive for private life.[155]

[126] Biometrics Institute, Biometrics Institute Ltd <www.biometricsinstitute.org> at 5 May 2008; Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 10–11; Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [16].

[131] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [16]; Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 17.

[144] United States Government Department of State, Visa Waiver Program (VWP) (2006) <travel.state.gov/visa/temp/without/without_1990.html> at 24 April 2008.

[145] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 240.

[146] M Crompton, ‘Biometrics and Privacy: The End of the World as We Know it or the White Knight of Privacy?’ (Paper presented at Biometrics Institute Conference: Biometrics—Security and Authentication, Sydney, 20 March 2002).

[148] M Crompton, ‘Biometrics and Privacy: The End of the World as We Know it or the White Knight of Privacy?’ (Paper presented at Biometrics Institute Conference: Biometrics—Security and Authentication, Sydney, 20 March 2002). Multi-purpose identifiers are discussed further in Ch 30.

[150] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), 6; M Crompton, ‘Biometrics and Privacy: The End of the World as We Know it or the White Knight of Privacy?’ (Paper presented at Biometrics Institute Conference: Biometrics—Security and Authentication, Sydney, 20 March 2002).

[153] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005); Organisation for Economic Co-operation and Development, Biometric-Based Technologies (2004), 10.

[154] Council of Europe, Progress Report on the Application of the Principles of Convention 108 to the Collection and Processing of Biometric Data (2005), [107].